
Internal Control Components: Risk Assessment

Updated: Dec 30, 2022

Risk assessment is the second of the five internal control elements.

An effective risk assessment process implemented and maintained by management would provide important information needed to determine what business/fraud risks should be managed so that appropriate actions can be taken.



Management may initiate plans or programs or implement policies and procedures to address specific risks.

Or, it may decide to accept a risk because of cost or other considerations.

If the entity’s risk assessment process is appropriate to the circumstances, it will assist the auditor in identifying risks of material misstatement.



A risk assessment process would normally address such matters as:

  • Changes in the operating environment;

  • New senior personnel;

  • New or revamped information systems;

  • Rapid growth;

  • New technology;

  • New business models, products, or activities;

  • Corporate restructurings (including divestitures and acquisitions);

  • Expanded foreign operations; and

  • New accounting pronouncements.


  • 经营环境的变化;

  • 新的高级人员;

  • 新的或改造过的信息系统;

  • 迅速增长

  • 快速增长; - 新技术;

  • 新的商业模式、产品或活动;

  • 公司重组(包括资产剥离和收购);

  • 扩大国外业务;以及

  • 新的会计公告。

In smaller entities where a formal risk assessment process is unlikely to exist, the auditor would discuss with management how business risks are identified and how they are addressed.

Matters the auditor should consider are how management:

  • Identifies risks relevant to financial reporting;

  • Estimates the significance of the risks;

  • Assesses the likelihood of their occurrence; and

  • Decides upon actions to manage them.



  • 识别与财务报告相关的风险;

  • 估算风险的重要性;

  • 评估其发生的可能性;以及

  • 决定管理这些风险的行动.

The auditor is also required to evaluate whether the absence of a documented risk assessment process is appropriate in the circumstances or determine whether it represents a significant deficiency in internal control.

If the auditor identifies risks of material misstatement that management failed to identify, he/she should consider:

  • Why did management’s processes fail?

  • Are the processes appropriate to the circumstances?



  • 为什么管理层的程序会失败?

  • 这些程序是否适合当时的情况?

If a significant deficiency exists in the entity’s risk assessment process (or there is no process), it would be communicated to management and those charged with governance.


Conditions and Events That May Indicate Risks of Material Misstatement

Appendix 2 of ISA 315 (Revised) contains a useful list of possible conditions and events that may indicate the existence of risks of material misstatement, reproduced below.

The examples provided cover a broad range of conditions and events; however, not all conditions and events are relevant to every audit engagement, and the list of examples is not necessarily complete.

  • Operations in economically unstable regions, including countries with significant currency devaluation or highly inflationary economies.

  • Operations exposed to volatile markets, for example, futures trading.

  • Operations that are subject to a high degree of complex regulation.

  • Going concern and liquidity issues, including loss of significant customers.

  • Constraints on the availability of capital and credit.

  • Changes in the industry in which the entity operates.

  • Changes in the supply chain.

  • Developing or offering new products or services or moving into new lines of business.

  • Expanding into new locations.

  • Changes in the entity, such as large acquisitions, reorganisations, or other unusual events.

  • Entities or business segments likely to be sold.

  • The existence of complex alliances and joint ventures.

  • Use of off-balance sheet finance, special-purpose entities, and other complex financing arrangements.

  • Significant transactions with related parties.

  • Lack of personnel with appropriate accounting and financial reporting skills.

  • Changes in key personnel, including the departure of key executives.

  • Deficiencies in internal control, especially those not addressed by management.

  • Inconsistencies between the entity’s IT strategy and its business strategies.

  • Changes in the IT environment.

  • Installation of significant new IT systems related to financial reporting.

  • Inquiries into the entity’s operations or financial results by regulatory or government bodies.

  • Past misstatements, history of errors or significant adjustments at period end.

  • A significant amount of non-routine or non-systematic transactions, including intercompany transactions and large revenue transactions at period end.

  • Transactions that are recorded based on management’s intent, for example, debt refinancing, selling assets, and classification of marketable securities.

  • Application of new accounting pronouncements.

  • Accounting measurements that involve complex processes.

  • Events or transactions that involve significant measurement uncertainty, including accounting estimates.

  • Pending litigation and contingent liabilities, for example, sales warranties, financial guarantees and environmental remediation.
